PEP Episode 071 — The VAMP Era: Why Your Merchant Portfolio May Be Riskier Than You Think ft. Sound Commerce

The VAMP Era Is Here: What Payments Pros Must Know Before It’s Too Late

Think MATCH was hard to navigate? VAMP just rewrote the risk rulebook.

In this high-impact episode, Christopher Dryden, Esq., and COO, Jeremy Stock, sit down with Matt Steinbrecher of Sound Commerce (https://sound-commerce.com/) to unpack the hidden compliance traps now emerging in merchant processing. Whether you’re an ISO onboarding merchants, a payfac dealing with CNP risk, or an investor evaluating portfolios—this episode is your early warning system.

🔍 Inside the Episode:

🚨 VAMP Isn’t Just a Buzzword—It’s Reshaping Risk Allocation

Card-not-present merchants are under a microscope. With fines expected in Q4, underwriting guidelines are tightening fast.

More ISOs are mandating RDR/Ethoca enrollment upfront. But does it help—or just shift risk silently?

🔒 The Visibility Problem: Enforcement Actions You’ll Never See

You can’t mitigate what you can’t see. We reveal how current KYC/KYB protocols fail to flag prior brand enforcement—leaving acquirers exposed to massive liability.

TC40s, dispute ratios, and fraud patterns—why they matter now more than ever.

⚠️ Case Study: The Stripe Termination No One Saw Coming

A merchant with 7 years of clean history, solid revenue, and low chargebacks was dropped without warning.

Funds frozen, tokens locked, back office access revoked. Could VAMP-related algorithms be driving silent purges?

💸 M&A Fallout: How Hidden Risk Distorts Portfolio Value

We explore how prior brand violations can kill a deal, increase reserves, and skew acquisition pricing.

For buyers and sellers alike, compliance due diligence is now mission-critical.

🧠 What Smart Acquirers and ISOs Should Do Next

Don’t wait for a fine to learn you’re out of compliance. We break down:

• Monitoring VAMP ratios and TC40s per MID
• Demanding API-level RDR visibility
• Building attestation forms for boarding
• Negotiating token migration rights and refund runways
• Creating responsible offboarding flows (escrow-backed refunds, sunset terms, and portability)

🧩 Why This Episode Matters:

VAMP is not just compliance—it’s market structure. As enforcement rises, smaller high-risk shops may vanish, while those who plan ahead will own the next era of acquiring. Whether you’re working in underwriting, ops, portfolio acquisition, or product strategy, this episode is a blueprint for navigating what’s next.

Ever tried to board a merchant and wondered what you can’t see? We pull back the curtain on the blind spots that matter most: prior card‑brand violations, second‑strike liabilities, and how surcharging and dual pricing mistakes can snowball into five‑figure fines you never saw coming. With Matt Steinbrecher of Sound Commerce, we explore what VAMP could mean for acquirers, ISOs, and POS providers—and why today’s KYC/KYB isn’t built to surface nonpublic enforcement history.

We compare VAMP’s likely mechanics to dispute monitoring programs and MATCH, unpack where ambiguity lives, and debate whether fines and ratios could become stealth triggers for merchant suppression or de facto blacklisting. Then we look at the market effects: why unclear rules can push merchants to play “duck‑duck‑goose” with acquirers, how incentives around fines complicate transparency, and the reason consolidation across U.S. acquiring may accelerate as smaller high‑risk shops face tougher oversight. If you buy or sell portfolios, we get specific on origination quality, stickiness, and how hidden compliance histories distort valuation, reserves, and integration risk.

Still, there’s opportunity. We map how tier‑one processors can responsibly expand into higher‑risk verticals—travel, nutraceuticals, deferred delivery—by building sharper underwriting, merchant education, and real‑time controls. We offer practical steps: ask targeted history questions at boarding, require attestations on prior brand actions, tighten POS receipt/signage defaults, and negotiate disclosures and indemnities in M&A. If VAMP becomes the new gravity in payments risk, the winners will be those who see around corners, price inherited exposure, and coach merchants out of avoidable mistakes.

*Matters discussed are all opinions and do not constitute legal advice.  All events or likeness to real people and events is a coincidence.*

Transcript

Matthew Steinbrecher (00:00):

You can go into public records in all the different states that I’ve lived in and figure out how many traffic tickets I got. And it’s pretty easy. If you know how to dig through public record databases and you kind of have an aggregated platform, you can do that and that’s the kind of stuff that you pull. But the problem is that Visa is not a public company. That’s what I’m saying. They’re a public company, but they’re not a government agency. And so they have no, without transparency

Christopher Dryden (00:26):

Possibility, without the transparency. How do I know that I’m not onboarding a merchant who if they screw up again, it’s a hundred or a $200,000 brand violation for something that’s fairly simple. It’s just a repeat offender. And how am I supposed to even determine that? And then I’m on the hook for that, right?

Matthew Steinbrecher (00:45):

And I don’t think there’s no incentive for the acquirer who gets hit with the initial violation to, because they’re like, cool, you’re blacklisted on our channel. Get out, you’re off. Here’s your fine. Be gone. And they don’t have a responsibility to their competitors to go and be like, Hey guys, this guy screwed up and he had a 200 K fine. Don’t board him. Again,

Jeremy Stock  (01:13):

Welcome to the Payments podcast, a podcast of global legal law firm. We hope you enjoy this episode.

Christopher Dryden (01:27):

So I have some POS guys. They sell POS systems primarily. They’ve got processing attached to many of their POS systems. One of the biggest topics is dual pricing. We get so many calls these days about, what’s the signage I have to have? Dude, I’m watching. This is for anybody who’s watching this that actually cares about our podcast. I’m going to do one very soon about this issue. But we even have agents out competing against other agents, creating violations with dual pricing or on tickets to then go resell the merchant that got violated, that they contribute in the violation or, oh yeah. There’s all sorts of stuff going out there. And when it’s being reported to me, I’m just making notes, I’m going to have a whole talk about this, but the thing that I saw last week was these POS guys came to me and they said, Hey, we’ve got four merchants.

Christopher Dryden (02:22):

It’s $5,000. Here’s what the signage is. Here’s our POS signage. Here’s their signage, here’s what we’ve been doing, here’s what we’ve been telling people. And we went through the whole process of what’s compliant and what’s not. And when we got to the end, they were like, well, we just want to know they had a legitimate reason for why the receipt was wrong. And I said, look, you might be in violation of California law, but I think if you had a responsive party on the other side who wasn’t looking to ding you with a fine, the reason that you just gave me I think is kind of justifiable. This was a mistake, and it wasn’t intended as a wrongful surcharge. It was being done on credit and cash. It didn’t matter. It was a screw up with the POS system. Okay.

Christopher Dryden (03:15):

I said, I wouldn’t really, because you got to pay five grand to even oppose it. And I said, I wouldn’t really deal with it to be honest with you. But here’s the interesting part. You know that these are second violations, right? Because five grand second violation, thousand dollars the first, that means you inherited merchants that have a second or a first violation already. So your liability and risk is greater when you’re boarding this merchant. And it raised the question of is there any scrubbing process to scrub for prior violations? So I sent that off to some of our FSP clients. I thought that that was a great question. When I’m boarding a merchant, what liability am I taking on related to the card brand’s prior interaction with the merchant, right? Everybody knows that match exists, but is there any secondary reporting on a merchant related fines? I doubt that exists. So I thought that that was very interesting. But one of the FSPs got back to me and he says, well, they violated the rules. Why weren’t they matched?

Christopher Dryden (04:19):

I am thinking, well, because it’s like getting a speeding ticket. I already think that the punishment’s the fine, but it’s difficult to know the rules. They’re not really well published. People don’t know them. Otherwise I wouldn’t have a job to do. And so if you think about it, so we try to highlight some of these things and I’m looking at this particular situation, and then he said, well, I have liability against the prior ISO or recourse against the prior ISO because there was no reporting or the acquiring bank because that’s really where the reporting’s supposed to take place. So he raised a couple questions that I didn’t immediately have an answer to, which I thought were very interesting. But the point of my little example was, there’s no violation or there’s no match placement for a violation of the dual pricing guidelines. What about vm? What do you think they’re going to do and how are they going to do it? How are they actually going to equitably dole out fines and then dole out some sort of match placement? And then what is that unintended impact going to be on commerce in general? I mean, we already see the shady game of duck, duck, goose, IBO.

Christopher Dryden (05:40):

We see it all the time. I think that a lot of times when you have regime changes, you have unintended consequences that even if the intent was a good intent in general for the marketplace, there’s a lot of unintended consequences that take place. The example that I was talking about earlier. So do you think that they’re going to match merchants based on vamp ratios or I mean they’ll kill ’em, but is there going to be some sort of trigger where you’re like above a certain number and without even saying anything, boom, there’s match. And again, great for me, great for me. I’m not sure how great it’s going to be for US Commerce, but it’s going to be awesome for me. But what do you see happening with vamp violations?

Matthew Steinbrecher (06:30):

Yeah, it’s a good question, right? Because kind of the same thing right now where the ambiguity on the Visa dispute monitoring program or MasterCards program or whichever, you can get match listed today for excessive chargebacks on those programs. And I think that vamps going to operate in a pretty similar way, and maybe they just add another reason code for excessive fraudulent chargebacks on TC 40. I don’t know if that one exists today, but you probably do better than me off the top of your head, but no, no, not necessarily.

Christopher Dryden (07:04):

Yeah, we don’t get into the granular too often. I mean, I was interested in that. I’m also interested in, have you seen a scrubbing process so that I could actually properly analyze my risk by onboarding a merchant related to fines that I’m going to ultimately be responsible for?

Matthew Steinbrecher (07:22):

No, not really. I mean, so there’s a few ways you can do it. And a lot of people do it through their KYC and KYB checks, like proper acquirers or whatever. When they’re bringing merchants on board, obviously you look for bankruptcy, the UBO and of course the entity and any sort of outstanding collections, stuff like that, that’s super easy to run in databases. What’s a little bit more granular on top of that is outstanding or previous tickets. So you can look at with most people, if you have Matthew Steinbeck as my name, you can go into public records in all the different states that I’ve lived in and figure out how many traffic tickets I got. And it’s pretty easy if you know how to dig through public record databases and you kind of have an aggregated platform, you can do that and that’s the kind of stuff that you pull. But the problem is, is that Visa is not a public company. That’s what I’m saying. I’m, they’re a public company, but they’re not a government agency. They have, without transparency,

Christopher Dryden (08:22):

Without the transparency, how do I know that I’m not onboarding a merchant who if they screw up again, it’s, or a $200,000 brand violation for something that’s fairly simple, it’s just a repeat offender and how am I supposed to even determine that? And then I’m on the hook for that, right? I, and

Matthew Steinbrecher (08:41):

I don’t think there’s no incentive for the acquirer who gets hit with the initial violation to because they’re like, cool, you’re blacklisted on our channel. Get out, you’re off. Here’s your fine, be gone. And they don’t have a responsibility to their competitors to go and be like, Hey guys, this guy screwed up and he had a 200 K fine. Don’t board him again. And there’s definitely in the agent ISO world, there’s lists and we talk and we can sniff things out, but from a much higher level of scale of millions and millions of mids getting created every month, yeah, there’s no way to do it. And I imagine that’s one of the gaps that probably Visa is going to run into pretty quickly here is that they have to have some way similar to a match list where they’re tracking those violations, but maybe not with Match. You could have a shitty month with e-commerce and your warehouse lights on fire and you’ve got a bunch of orders outstanding and you’re like, Hey guys, we’re going to refund your orders. We’re getting a new warehouse, whatever. That’s a very real world, totally gray area example. But your chargebacks could go through the roof. You got a bunch of pissed off customers. They’re like, I don’t care if you want to refund too late. I charged it back

Christopher Dryden (10:06):

And look to the credit of the acquiring banks, because we don’t go to Visa, MasterCard, really. We go to every now and then we bump into ’em. But to the credit of the acquiring banks, when there’s a real world situation, they do listen and we get a lot of people off. I mean, we do. We get a lot of people off far more than pre COVID. You got placed on MA TMF, you’re done today. It feels like there’s definitely a little more latitude and definitely a more responsive ear. But I’m sitting there looking at it from the context of it can’t be through match, otherwise you would match place them. But what about a secondary reporting database that tracks previous fines against EINs? I don’t think they’re incentivized to do it because every fine they collect it is just more money for them. I mean, again, it’s like it is a regime that they have oversight sort of chargebacks where they are assessing fines, collecting those, and they’re not doing anything for the money. It’s just penalizing people within and look sometimes rightfully penalizing people that are operating in their ecosystem. But there’s a lot of times where it’s very difficult when you’re the arbiter of all of the decisions and it goes directly to your for-profit bottom line. You got to wonder how much machination goes in there. That seems a little self-serving. I don’t really know.

Christopher Dryden (11:37):

It’s kind of what this box is about. I feel

Matthew Steinbrecher (11:41):

Like this is a good example. I never really thought about it like that, which is super interesting because I mean, you have your match list, you have Mac alerts, and then it’s Mac alerts is really just kind of a community for underwriters to flag stuff to each other, but it’s not an official process. Almost like with Match, it’s very ambiguous and there’s no cohesive rule set that’s publicly listed. It is like, here you go. In the same way Visa localization rules are posted on their website and you can read through ’em and they make sense, and there’s nothing like that yet. But I suspect there will be because I can imagine. So one of the things I think that’s going to happen is there’s going to be a huge consolidation. I think Visa introduced Vamp and Ping ponged all the rules around quite a bit because what they’re trying to do is minimize the number of direct acquirers principal members in the US and pick the good players.

Matthew Steinbrecher (12:40):

And I think that they’re going to try to consolidate some of these higher risk shops and have them fold into larger players who have more risk to be able to balance the portfolio. I think that’s one of my sneaking suspicions of Tinfoil hat for a second of why I think ultimately they may have done it is because it’s less stuff for them to regulate and they can start to consolidate the market a little bit more. And I think that smarter players like the much larger tier one processors, I think that they’re going to wise up at some point and realize that they might have an opportunity to sort of take in some of these maybe higher risk portfolios or whatever. But once that consolidation happens, what we just spoke about is absolutely true. And if I’m a owner of a high risk acquiring bank in the US and I sell to whoever, some Stripe, for example, I’m out, I sold my shares, I’m done, I cashed out, I’m good.

Matthew Steinbrecher (13:40):

You bought my book and that’s that. And I don’t really, I may not have a responsibility in those terms to tell you what’s going on. Or same thing. Some of these guys might just fold. They might just close shop. They may say, great, we’re taking a bunch of reserves and we’re going to fold or have to go into administration depending on the situation. And so I think those are much smaller players, but I think there’s going to be that consolidation and I think that’s where you’re going to start to run into Visa, having to look at some sort of program to look at the violations.

Christopher Dryden (14:13):

Well, it’s funny you said that about the portfolio and selling. I’ve got, I talked to some guys yesterday, money guys that are coming over from Merchant Cash Advance wanting to do some funding for people that buy portfolios, but they’re virgins in the industry. They don’t understand the purchase. And one of the guys who’s like, he’s got a business degree from Georgetown, he’s fucking smart guy. He says, I don’t know what I don’t know, but this seems really simple. This guy’s acquisition model seems very, very simple. And I was like, yeah, man. I mean, really to me it’s about the origination of account when you originate an account where that account originates from will determine the stickiness, whether or not you’re seeing attrition. And a lot of the portfolio that they were first analyzing were bank referrals. And I’m like, look, unless the bank goes under or the customer’s pissed at the bank, this account’s not going anywhere for a long period of time.

Christopher Dryden (15:13):

This is one of the, even if there’s a rate increase as a cost of living adjustment almost, right, you’re still going to see that merchant staying right there because they’re bundled in with loans. They’re bundled in with all sorts of other financial products with the bank, their deposit accounts. I said, that’s like the holy grail right there of buying a portfolio. You’re going to be counting the money for a long time, and that’s not even considering the future business with the bank as they continue to acquire customers and onboard ’em. I said, see, it really does come down to what does it look like? Because there’s more impact, again, unintended consequences. What you just described was what’s going to happen to purchasers coming into purchase portfolios, not understanding the real risk associated with some of those portfolios and not having data in order to analyze that risk based on what we’ve been talking about here, right? Yeah.

Matthew Steinbrecher (16:11):

Yeah. Just no visibility. They’re going in blind.

Christopher Dryden (16:13):

Yeah, totally. Well, look, man, what do you want to leave us with?

Matthew Steinbrecher (16:19):

I don’t know. I’d say more will be revealed for sure. I think November is probably when we’re going to really start to see the blood bath unfold if we see it at all. But yeah, what I mentioned before, I really think there’s going to be a consolidation shift here. Probably it’ll start moving within the next six months, but I’d say by Q3 next year we’re going to start to see some movement and some m and a in the space, particularly in US acquiring small acquirers, I think are going to start getting swallowed up or merging just in order to balance the books better. And I for sure see that coming as part of this, based on everything I’m seeing and hearing and the general buzz, I feel like that’s probably one of the unintended consequences, maybe intended consequence from Visa.

Christopher Dryden (17:10):

You think it’ll make it okay. Without giving away secret sauce, what opportunity do you see for yourself in that scenario?

Matthew Steinbrecher (17:21):

I’ve been approaching some of the larger tier one players with viable strategies. Traditionally a company that would only take a certain type of risk profile, since every acquirer has their niche for the most part, and maybe they won’t take a certain type of risk profile or a certain industry, they just don’t touch it and approaching them tax fully and saying, look, there’s an industry here and there’s an opportunity. And yes, your underwriting and risk team may not fully understand this industry. Travel, for example. Usually really low margin, huge delays in funding times, very high bankruptcy risk, very complex market. You see something like that, you go to someone and say, look, you can make a lot more margin in this industry if you are able to tackle it. Maybe nutraceuticals, for example. Adyen is a good example. They came into the US market. They dominate in Europe.

Matthew Steinbrecher (18:19):

They came into the US market trying to fight Stripe and checkout.com for the most part. And they didn’t touch any nutraceuticals initially. And now they’re pushing very hard and winning a lot of business in that space. And I think they’re starting to see that there’s an opportunity in certain verticals that maybe they wouldn’t touch before, but now they understand, well, when we look at our balanced portfolio, we can sort of take on some of these higher risk verticals that we traditionally wouldn’t have done. And that’s where I think we’re going to start seeing some of that cannibalization and m and a activity is you’re going to have larger shops like that saying, well, great, we’re processing payments for Airbnb and Uber and Google. We don’t have a whole lot of chargeback risks. So we could take some things on maybe a small local airline in the US or something like that, or a larger nutraceutical shop who generally has higher chargeback rates for whatever reason.

Matthew Steinbrecher (19:13):

And that’s where I see the biggest opportunity right now. What I’ve been looking at is how can some of these traditionally standoffish players look at some of these new verticals and dive into them, but responsibly, right, there’s a good way to ramp up and do it responsibly. It’s very easy to get caught up in a new industry and just get burned, and we see that time and time again with different shops and portfolios that grow up and then blow up. But yeah, that’s probably the biggest opportunity that I see in what I’ve been navigating right now.

Jeremy Stock  (19:47):

Awesome. Excellent. You guys, that was a great conversation, Matt. So much. We’re so grateful for you joining us once again, everybody listening, please. You can find Matt Steinbrecker sound commerce@soundcommerce.com. We’ve got all the information down below. Thank you for this conversation today. We’re looking forward to the next one. Thank you for listening to this episode of the Payments Experts Podcast, a podcast of global legal law firm. Visit us online today at global legal law firm.com. Matters discussed are all opinions and do not constitute legal advice. All events or likeness to real people and events is a coincidence.